Congress, don't be fooled by cybersurveillance bill

By Jared Polis

Updated 7:55 AM ET, Fri December 18, 2015

Photos: How the Sony hack unfolded

Sony Pictures announces that the controversial comedy "The Interview," a film depicting the assassination of North Korea's leader, will have a limited release on Christmas Day. The studio previously announced it would shelve plans to release the film after it became the victim of a cyber attack thought to have originated in North Korea.

In June 2014, a North Korean Foreign Ministry spokesman said "The Interview" was "the most undisguised terrorism." "If the U.S. administration connives at and patronizes the screening of the film, it will invite a strong and merciless countermeasure," he said.

In November, "The Guardians of Peace," a hacker group with suspected ties to North Korea, said that it had hacked Sony Pictures and released massive amounts of data. The group added that there would be more leaks.

In early December, hackers emailed Sony employees warning that "your family will be in danger." Guardians of Peace have claimed the email did not come from them. The FBI confirmed in a statement they were aware of the email and are investigating the "person or group responsible for the recent attack on the Sony Pictures network." Many security experts said the hack increasingly pointed to North Korea.

December 7 -- North Korea's state-run propaganda arm said they were not responsible for the Sony hack attack but applauded it as "a righteous deed of the supporters and sympathizers with the DPRK." They added they could not be responsible as America is "a country far across the ocean."

December 8 -- Another message appeared on a website saying: "We have already given our clear demand to the management team of SONY, however, they have refused to accept. Do carry out our demand if you want to escape us. And, Stop immediately showing the movie of terrorism which can break the regional peace and cause the War!"

December 11 -- Another leaked email revealed a controversial exchange between a Sony executive and a producer, speculating over President Barack Obama's favorite films, referring to "Django Unchained" and other movies about African Americans such as "12 Years a Slave."

December 15 -- Sony Pictures asked news organizations to stop examining and publicizing the information made public by the hackers. Attorney David Boies said that the hackers' tactics are part of "an ongoing campaign explicitly seeking to prevent [Sony] from distributing a motion picture."

December 16 -- In an email to Sony Pictures' co-chair Amy Pascal, producer Scott Rudin called Angelina Jolie "minimally talented" and a "spoiled brat" with a "rampaging... ego". Jolie and Pascal were later photographed running into each other at an event with Jolie giving Pascal a nasty look. The leaks also revealed the secret aliases of some well-known actors such as Tom Hanks, Sarah Michelle Gellar and Jessica Alba.

December 16 -- The New York premiere of "The Interview" was canceled after "The Guardians of Peace" posted a threat against moviegoers. The message said: "We will clearly show it to you at the very time and places 'The Interview' be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to," the hacking group said. "The world will be full of fear. Remember the 11th of September 2001."

December 17 -- Two former Sony employees sued the company for failing to protect their private information. The plaintiffs seek to form a class action lawsuit of up to 15,000 former employees. The plaintiffs want Sony to provide them with five years of credit monitoring, bank monitoring, identity theft insurance and credit restoration services. They also called for Sony to be subject to regular privacy audits.

December 18 -- Sony decided to cancel the release of "The Interview," a decision that sparked outrage among celebrities and politicians. A movie theater in Texas announced they would offer a free screening of Team America -- which features the leader's father Kim Jong Il -- instead until Paramount shut that down too. Sony also downplayed the possibility that the film could be released online.

December 19 -- President Obama said in a news conference that Sony "made a mistake" in response to the studio's decision to cancel its plans to release "The Interview" on Christmas Day. He told CNN later that week that the Sony hack was an act of "cybervandalism", not "an act of war".

December 21 -- Sony Pictures' CEO Michael Lynton responds to President Obama's comments, telling CNN "we did not cave or back down." Mr Lynton also said Sony were looking into releasing "The Interview" on the internet but no major distributor has volunteered to release the film.

December 22 -- North Korea's internet goes black for more than nine hours. The cause of the outage is unknown, but experts have suggested that a lone hacker could have carried it out; others even argued that the North Korean government could have deliberately disconnected itself.

December 23 -- Sony Pictures announced "The Interview" will be released on Christmas Day but only in a limited number of theatres. The studio's CEO Michael Lynton said: "while we hope this is only the first step of the film's release, we are proud to make it available to the public and to have stood up to those who attempted to suppress free speech." So far more than 200 independently-owned theatres have agreed to show the film.

Story highlights

Congress is slated to vote on the Cybersecurity Information Sharing Act (CISA)

Of course, we must improve our nation's cybersecurity both in the government and in the private sector. Over the past two years, cybersecurity failures in the face of malicious attacks have become alarmingly common. The attacks have compromised sensitive government information, rattled our nation's tech sector and exposed Americans' personal information to the public.

But when Congress tackles these issues, we have to distinguish between thoughtful, targeted solutions to problems that empower private sector businesses and sweeping "solutions" meant to convey the appearance of improved security while actually harming it.

A measure slipped at the last minute into a government-funding bill that Congress is slated to vote on this week: the Cybersecurity Information Sharing Act.

If CISA's only problem were that it's ineffective, that would be one thing. We'd object to it, but perhaps not quite so strenuously. But CISA doesn't just fail to address our existing cybersecurity problems; it stands to create a whole raft of new ones.

Worse still, by slipping this bill into must-pass legislation, House leaders are giving privacy-minded members of Congress an impossible choice: allow a bill that threatens Americans' civil liberties to become law or force a government shutdown.

Forcing representatives to sell out their constituents in this way as a condition of funding the basic operations of the government hardly seems consistent with the "open process" and "regular order" that Speaker Paul Ryan and Senate Majority Leader Mitch McConnell have repeatedly promised.

CISA's premise is simple: The bill would encourage companies to share information about cyberthreats with the federal government by granting them protection from liability.

In theory, the bill is meant to combat big hacks such as those that affected Sony, Anthem or Home Depot. But in practice, CISA probably wouldn't have stopped any of these well-publicized attacks and probably won't stop future ones.

Why? Because information-sharing is only a small part of the comprehensive cybersecurity strategy we need to protect ourselves from hackers -- and it's not even one of the important parts.

Instead of limiting our focus to information sharing, we should be addressing how rarely cybersecurity best practices are used on both private- and government-operated networks. Too many public and private entities simply don't take advantage of tools already at their disposal to protect themselves from hackers. No amount of information sharing will help solve that problem.

And what's the price of this false sense of security?

A dangerous disregard for the privacy rights of the individuals whose personal information is located on companies' networks (likely including yours). CISA would give the National Security Agency and other federal agencies broad new discretion to scrutinize and store Americans' private information -- even in the absence of evidence that the information is relevant to a cyberthreat.

We know how that movie ends. The federal government has an exceptionally poor record of behaving responsibly with Americans' personal information when entrusted with it. The NSA has broken privacy rules or overstepped its legal authority thousands of times a year since Congress gave it broad new powers in 2008.

Lawmakers who support CISA will tell you the bill includes some privacy protections. They're right. But these "protections" are superficial and include broad loopholes that are so far-reaching as to render the protections meaningless.

For example, the bill includes language directing companies to "scrub" information clean of any personally identifiable information before sharing it with the government. But the way the bill is written, companies are only directed to scrub personal information if they have affirmative evidence that the information is not relevant to a cyberthreat -- a virtually impossible standard since it requires the company to prove that something doesn't exist.

Now that CISA will soon become law, companies will be encouraged to disseminate information about our patterns of Internet use and even the content of our online communications to the government in virtually all circumstances.

We all agree that Congress must take action to stop attacks on cybernetworks and safeguard Americans' private information. CISA, however, is nothing more than a surveillance bill disguised as a solution to that problem.